Uniwinnicrypt ransomware charges over $550k for file recovery

April 9, 2021

The SonicWall Capture Labs threat research team have been tracking a ransomware family named Uniwinnicrypt. This malware is aimed at large corporations, and the operators charge over $550k USD in cryptocurrency (Monero and Bitcoin) for file recovery. A custom chat site hosted on the Tor network is provided by the operators for negotiations with their victims. However, conversations between the victims and operators are publicly accessible.


Infection cycle:


Upon infection, code is injected into grpconv.exe, iexpress.exe or write.exe. This code performs the encryption of files on the system:


The extension “.uniwinnicrypt” is appended to all encrypted files.


HOW_FIX_FILES.htm is dropped into all directories where files were encrypted. It contains the following message:


The Tor link leads to the following page:


After entering the requested information, the following existing conversation between a victim (not us) and the operator can be seen:


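As an added example (not code from the SonicWall write-up), a small Python triage script that walks a file tree for the two file-system indicators named in the infection cycle above: the .uniwinnicrypt extension and the HOW_FIX_FILES.htm note. It builds a constructed sample tree so it runs offline; the directory layout and file names in that tree are made up, and the "note without encryption" / "encryption without note" buckets are an assumption about what an analyst would want flagged for a closer look.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the write-up above.
ENCRYPTED_EXT = ".uniwinnicrypt"
RANSOM_NOTE = "HOW_FIX_FILES.htm"


def triage_tree(root):
    """Walk `root` and summarise Uniwinnicrypt file-system indicators.

    Returns total encrypted-file count, the directories holding encrypted
    files, the directories holding a ransom note, and the two mismatches
    (note without encrypted files, encrypted files without a note).
    """
    encrypted_per_dir = Counter()
    note_dirs = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted_per_dir[rel] += 1
            elif name.lower() == RANSOM_NOTE.lower():
                note_dirs.add(rel)
    return {
        "encrypted_files": sum(encrypted_per_dir.values()),
        "encrypted_dirs": sorted(encrypted_per_dir),
        "note_dirs": sorted(note_dirs),
        "note_without_encryption": sorted(note_dirs - set(encrypted_per_dir)),
        "encryption_without_note": sorted(set(encrypted_per_dir) - note_dirs),
    }


def build_sample_tree():
    """Create a constructed directory layout mimicking a hit host (test data only)."""
    root = tempfile.mkdtemp(prefix="uniwinni_sample_")
    layout = {
        "docs": ["report.docx.uniwinnicrypt", "budget.xlsx.uniwinnicrypt", RANSOM_NOTE],
        "docs/old": ["notes.txt.uniwinnicrypt"],  # encrypted files, note missing
        "pictures": [RANSOM_NOTE],                 # note only, nothing encrypted
        "clean": ["readme.txt"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```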
SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Uniwinnicrypt.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.